All authentication flags are optional when --null-auth is used. Otherwise, -u/--username and one of -p, --hashes, or --aesKey are required (except when using -k/--kerberos with --no-pass).

Flags

-u / --username (string)
Username for authentication. Required unless --null-auth is set.

-p / --password (string)
Password for authentication. One of --password, --hashes, or --aesKey is required unless using --null-auth or -k --no-pass.

-d / --domain (string)
Domain name (e.g., corp.example.local). Required when using --audit mode.

--hashes (string)
NTLM hashes in LMHASH:NTHASH format. The LM portion can be omitted or set to aad3b435b51404eeaad3b435b51404ee (empty LM). Used for pass-the-hash attacks.
Format: [LM_HASH]:NT_HASH

--aesKey (string)
AES-128 or AES-256 key for Kerberos authentication. Use instead of a password when you have an extracted AES key.

-k / --kerberos (boolean, default: false)
Use Kerberos authentication. Reads the ccache file from the KRB5CCNAME environment variable when available. Combine with --no-pass to avoid a password prompt when using a ccache.

--krb-dc-only (boolean, default: false)
Use Kerberos only for Domain Controllers; fall back to NTLM for all other hosts. RelayKing queries the AD Domain Controllers group to determine which hosts are DCs. Useful when DCs enforce Kerberos but workstations and member servers still accept NTLM.

--no-pass (boolean, default: false)
Do not prompt for a password. Use this with -k/--kerberos when authenticating via a ccache file.

--dc-ip (string)
IP address of a Domain Controller. Used for LDAP-based operations such as --audit and --ntlmv1. Also treated as a known DC target when --krb-dc-only is active.

-ns / --nameserver (string)
Custom DNS server for hostname resolution. Useful when running through a SOCKS proxy where the default resolver cannot reach internal DNS.

--dns-tcp (boolean, default: false)
Use TCP instead of UDP for DNS resolution. Useful when UDP is blocked or unreliable in the target environment.

--ldap (boolean, default: false)
Force LDAP (port 389) for directory operations. By default, RelayKing auto-detects whether to use LDAP or LDAPS.

--ldaps (boolean, default: false)
Force LDAPS (port 636) for directory operations.

--null-auth (boolean, default: false)
Attempt null/anonymous authentication. When set, -u, -p, and domain are not required. Coercion vulnerabilities (--coerce) are only reported as confirmed findings when the coercion succeeds under null auth.
Cannot be combined with --coerce-all, which requires credentials for AD enumeration.
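
As an added example (not RelayKing's own code), a small Python validator that implements the flag rules above: it normalizes a --hashes value, filling an omitted LM portion with the empty-LM constant, and checks which credential combination is present before selecting an authentication mode. The names AuthOpts, parse_hashes and validate_auth are assumptions for illustration; the NT hash used in the check is the one from the examples on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# LM hash of an empty password; RelayKing accepts this or an empty LM field.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_hashes(value: str) -> tuple:
    """Normalize a --hashes value of the form [LM_HASH]:NT_HASH.

    An omitted LM portion (":NTHASH") is replaced by EMPTY_LM so the
    caller always gets a full LM:NT pair of lowercase hex strings.
    """
    if ":" not in value:
        raise ValueError("--hashes must be LMHASH:NTHASH (LM may be empty)")
    lm, nt = value.split(":", 1)
    lm = lm or EMPTY_LM
    if not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError("LM and NT hashes must each be 32 hex characters")
    return lm.lower(), nt.lower()


@dataclass
class AuthOpts:
    """Hypothetical container mirroring the authentication flags."""
    username: Optional[str] = None
    password: Optional[str] = None
    hashes: Optional[str] = None
    aes_key: Optional[str] = None
    kerberos: bool = False
    no_pass: bool = False
    null_auth: bool = False
    coerce_all: bool = False


def validate_auth(o: AuthOpts) -> str:
    """Return the authentication mode, or raise on an invalid combination."""
    if o.null_auth:
        if o.coerce_all:
            raise ValueError("--null-auth cannot be combined with --coerce-all")
        return "null"
    if not o.username:
        raise ValueError("-u/--username is required unless --null-auth is set")
    if o.kerberos and o.no_pass:
        return "kerberos-ccache"  # ticket comes from KRB5CCNAME, no secret needed
    if not any((o.password, o.hashes, o.aes_key)):
        raise ValueError("one of -p, --hashes, or --aesKey is required")
    if o.hashes:
        parse_hashes(o.hashes)  # reject malformed values before connecting
        return "ntlm-hash"
    return "kerberos-aes" if o.aes_key else "password"
```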

Examples

Standard username and password

python3 relayking.py -u lowpriv -p 'Summer2024!' -d corp.example.local --dc-ip 10.0.0.1 --audit --protocols smb,ldap,ldaps

Pass-the-hash (NTLM)

python3 relayking.py -u administrator -d corp.example.local \
  --hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c \
  --dc-ip 10.0.0.1 --audit --protocols smb,ldap
You can also omit the LM portion:
--hashes :8846f7eaee8fb117ad06bdd830b7586c

Kerberos with a ccache file

export KRB5CCNAME=/tmp/krb5cc_lowpriv
python3 relayking.py -u lowpriv -d corp.example.local --dc-ip 10.0.0.1 \
  -k --no-pass --audit --protocols smb,ldap,ldaps

Kerberos for DCs only

Authenticate to Domain Controllers with Kerberos and use NTLM for all other hosts:
export KRB5CCNAME=/tmp/krb5cc_lowpriv
python3 relayking.py -u lowpriv -d corp.example.local --dc-ip 10.0.0.1 \
  -k --krb-dc-only --no-pass --audit --protocols smb,ldap,ldaps

Null authentication

Scan without credentials — useful for discovering open services and testing for anonymous access:
python3 relayking.py --null-auth --protocols smb,ldap 10.0.0.0/24

Through a SOCKS proxy with custom DNS

proxychains python3 relayking.py -u lowpriv -p 'Summer2024!' -d corp.example.local \
  --dc-ip 10.0.0.1 -ns 10.0.0.1 --dns-tcp --no-ping --audit --protocols smb,ldap,ldaps
